A few years ago I put out a series of posts on how to drastically increase your online security. Then I assembled that list on my Online Security page.
I wrote the series because I found the conversation about online security was too technical for the very people that needed to hear the message the most. My goal was to go deep into the topic, explain the problem simply and then provide the steps one needed to take to be more secure.
And although I’m guessing a few of my blog readers followed those posts and now have a more secure online presence, I know of no one that I personally inspired to take action. Maybe I didn’t make it simple enough? Maybe people just don’t care whether their online accounts are secure? Or are people just too lazy until the moment they are hacked and forced to take action? I don’t know.
Yesterday a brand new security flaw was discovered called Cloudbleed. The article Cloudbleed bug: Everything you need to know provides a good overview.
Services like Cloudflare help move information entered on those “https” websites between users and servers securely. What happened here is some of that secure information was unexpectedly saved when it should not have been. And to make matters worse, some of the saved secure information was cached by search engines like Google, Bing and Yahoo.
So it could have been a username or a password, a photo or frames of a video as well as behind-the-scenes things like server information and security protocols. At this time, there is no indication that any of this information was accessed by hackers.
The article advises that users change their passwords for sites that use Cloudflare and they link to a tool that will help you discover if they do.
I think their advice is solid for me, but not enough for the vast majority of internet users.
I use a password manager and I know with 100% certainty that I do not reuse a single password. Most users that I know reuse passwords all the time. So if the hackers got your FitBit, Medium or OKCupid password – remember we don’t know what they hacked at this time – what is to stop them from trying that password on other sites not affected by Cloudbleed? Nothing.
Let us imagine a hypothetical situation where hackers collected hundreds of thousands of usernames and passwords for various sites on the internet. They could use this data to attempt to access your email and/or financial sites in the hope that you use the same username and password there.
So not only do you need to change the passwords of sites affected by Cloudbleed, but any sites that share the same username/password combo as a site affected by Cloudbleed.
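As an added example (not from the original post or from any password manager), here is how that rotation rule can be computed from a password vault export: the sites to change are every affected site plus every site sharing a username/password combo with one. The vault entries and the list of affected domains are constructed placeholders; a real run would use your own export and the checker tool linked in the article.

```python
from collections import defaultdict

# Constructed sample vault export (site, username, password). Not real credentials.
VAULT = [
    ("fitbit.example", "alice", "hunter2"),
    ("medium.example", "alice", "hunter2"),
    ("bank.example", "alice", "hunter2"),
    ("okcupid.example", "alice@mail.example", "corr3ct-h0rse"),
    ("email.example", "alice@mail.example", "corr3ct-h0rse"),
    ("shop.example", "alice", "unique-pass-9"),
]

# Placeholder set of sites assumed to be affected; in practice this comes
# from the checker tool, not from this script.
AFFECTED = {"fitbit.example", "okcupid.example"}


def rotation_set(vault, affected):
    """Sites whose password must change: every affected site plus every
    site that shares the same username/password combo with one of them
    (the blast radius of a reused credential)."""
    by_combo = defaultdict(set)
    for site, user, pw in vault:
        by_combo[(user, pw)].add(site)
    to_rotate = set()
    for site, user, pw in vault:
        if site in affected:
            to_rotate |= by_combo[(user, pw)]
    return to_rotate


def reused_password_groups(vault):
    """Groups of sites that share one password, regardless of username.
    This is the reuse warning a password manager gives; the password
    itself is deliberately not returned, only the sites."""
    by_pw = defaultdict(set)
    for site, _user, pw in vault:
        by_pw[pw].add(site)
    return sorted(tuple(sorted(s)) for s in by_pw.values() if len(s) > 1)


if __name__ == "__main__":
    print("change passwords on:", sorted(rotation_set(VAULT, AFFECTED)))
    print("password reuse groups:", reused_password_groups(VAULT))
```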
I use LastPass and it warns me if I attempt to reuse a password. So I don’t. If one site gets compromised, the damage is contained. People have told me it is too much work to update all their passwords. Whatever. I think the peace of mind is worth it. Yes, there is a time commitment to set everything up, but afterwards it is much easier to manage and respond to new security threats.